Threat Watch

Slowing of Qakbot Campaigns Indicates Possible Hiatus Approaching

Over the last two days, Binary Defense has observed a reduction of Qakbot malware distribution campaigns. Typically, Qakbot releases a new botgroup each day, incrementing the botgroup counter by one for each new botgroup released. This has been a continuous trend since early April. However, recently Qakbot has been indicating the possibility of a hiatus, evident in part by the lack of new botgroup campaigns on both Wednesday and Thursday. This may be a sign that Durak Group is slowing down botnet operations in preparation for a break.

ANALYST NOTES

If Durak Group does decide to go on break, this is the perfect time to block all of the current Command and Control (C2) IP addresses, along with cleaning of possibly infected devices. Infected devices can be identified by regular network communication with the C2 servers or by host-based indicators of compromise. All the most recent Qakbot C2 server IP addresses can be found in the Binary Defense pulses on Open Threat Exchange (https://otx.alienvault.com/user/BinaryDefense/pulses) The break might not last very long, so Binary Defense recommends taking remediation actions sooner rather than later.